A server associates a permitted terminal identifier that identifies a permitted terminal permitted to perform tunnel communication to a first router with an endpoint address of a tunnel used in the communication of a permitted terminal. A second router that encapsulates a packet received from a requesting terminal, which requests the tunnel communication, inquires the server about an endpoint address associated with an identifier of the requesting terminal. The server notifies the second router of the target address that is the endpoint address associated with the identifier of the requesting terminal. The second router transmits the encapsulated packet to the target address. The first router to which the target address is allocated regards a received packet received at the target address as a packet used in the tunnel communication of the permitted terminal and decapsulates the received packet and then transmits the decapsulated packet to a communication destination.
3. A communication system comprising:
a server that associates
a permitted terminal identifier for identifying a permitted terminal permitted to perform tunnel communication with a first router apparatus set as an endpoint with
an endpoint address of a tunnel used in the communication of the permitted terminal;
a second router apparatus that inquires of the server an endpoint address associated with an identifier for identifying a requesting terminal that requests the tunnel communication and, when the endpoint address is notified from the server, encapsulates a packet received from the requesting terminal and transmits the packet to the endpoint address; and
the first router apparatus that regards a received packet received at the endpoint address as a packet used in the tunnel communication of the permitted terminal and decapsulates the received packet and then transmits the decapsulated packet to a communication destination of the requesting terminal, wherein
when the server detects an endpoint address associated with an identifier included in an inquiry message from the second router apparatus, the server notifies the second router apparatus of the endpoint address,
the second router apparatus is connected to a network in which a first protocol is used,
when the second router apparatus transfers, to the network, a packet that the requesting terminal has generated using a second protocol different from the first protocol, the second router apparatus acquires a prefix used for the tunnel communication from a third router apparatus belonging to the network,
the second router apparatus transmits an encapsulated packet to the first router apparatus using a generated address generated using the prefix, and
the first router apparatus does not store information in which the generated address and the identifier for identifying the requesting terminal are associated.
2. A communication method comprising:
associating, by a server, a permitted terminal identifier for identifying a permitted terminal permitted to perform tunnel communication with a first router apparatus set as an endpoint with
an endpoint address of a tunnel used in the communication of the permitted terminal;
inquiring of the server an endpoint address associated with an identifier for identifying a requesting terminal, which requests the tunnel communication, by a second router apparatus that encapsulates a packet received from the requesting terminal;
notifying the second router apparatus of a target address that is the endpoint address associated with the identifier for identifying the requesting terminal by the server when the server detects the target address;
transmitting the encapsulated packet to the target address by the second router apparatus;
regarding a received packet received at the target address as a packet used in the tunnel communication of the permitted terminal by the first router apparatus to which the target address is allocated; and
decapsulating the received packet and then transmitting the decapsulated packet to a communication destination of the requesting terminal, wherein
the second router apparatus is connected to a network in which a first protocol is used,
when the second router apparatus transfers, to the network, a packet that the requesting terminal has generated using a second protocol different from the first protocol, the second router apparatus acquires a prefix used for the tunnel communication from a third router apparatus belonging to the network,
the second router apparatus transmits an encapsulated packet to the first router apparatus using a generated address generated using the prefix, and
the first router apparatus does not store information in which the generated address and the identifier for identifying the requesting terminal are associated.
1. A communication method comprising:
associating, by a server,
a permitted terminal identifier for identifying a permitted terminal permitted to perform tunnel communication with a first router apparatus set as an endpoint with
an endpoint address of a tunnel used in the communication of the permitted terminal;
inquiring of the server an endpoint address associated with an identifier for identifying a requesting terminal, which requests the tunnel communication, by a second router apparatus that encapsulates a packet received from the requesting terminal;
notifying the second router apparatus of a target address that is the endpoint address associated with the identifier for identifying the requesting terminal by the server when the server detects the target address;
transmitting the encapsulated packet to the target address by the second router apparatus;
regarding a received packet received at the target address as a packet used in the tunnel communication of the permitted terminal by the first router apparatus to which the target address is allocated; and
decapsulating the received packet and then transmitting the decapsulated packet to a communication destination of the requesting terminal, wherein
a first endpoint address and a second endpoint address which are endpoints of tunnel communication with the first router apparatus set as an endpoint are allocated to the first router apparatus,
when a first permitted terminal permitted to perform communication through a first transfer destination requests communication with the communication destination, the server notifies the second router apparatus of the first endpoint address and, when a second permitted terminal permitted to perform communication through a second transfer destination requests communication with the communication destination, the server notifies the second router apparatus of the second endpoint address, and
the first router apparatus transmits a first packet obtained by decapsulating a packet addressed to the first endpoint address to the first transfer destination and transmits a second packet obtained by decapsulating a packet addressed to the second endpoint address to the second transfer destination.
4. The communication method according to
when the endpoint address associated with the identifier for identifying the requesting terminal is not stored, the server determines that the requesting terminal is not the permitted terminal,
the server notifies the second router apparatus of a determination result, and
the second router apparatus stops transfer of the packet received from the requesting terminal.
5. The communication method according to
when the endpoint address associated with the identifier for identifying the requesting terminal is not stored, the server determines that the requesting terminal is not the permitted terminal,
the server notifies the second router apparatus of a determination result, and
the second router apparatus stops transfer of the packet received from the requesting terminal.
This application is based upon and claims the benefit of priority of the prior Japanese Patent Application No. 2011-53570, filed on Mar. 10, 2011, the entire contents of which are incorporated herein by reference.
The present invention relates to a method of communication via a network and a system in which the method is used.
In recent years, networks employing Internet Protocol Version 6 (IPv6) have been introduced. However, many users still use Internet Protocol Version 4 (IPv4) addresses. Therefore, techniques for performing IPv4 communication via a communication network supporting IPv6 have been proposed in the Internet Engineering Task Force (IETF). Further, since IPv4 addresses are likely to be exhausted, techniques for sharing one IPv4 global address among plural users have also been developed.
For example, in a system employing Stateless Address Mapping (SAM), plural users can use one IPv4 global address to perform IPv4 communication by IPv6 tunneling. In the system employing SAM, an apparatus serving as an endpoint of a tunnel does not include a table or the like that records communication information such as the mapping between IPv6 addresses and IPv4 addresses of individual users and the conditions for permitting communication. Since the information such as the address mapping and the conditions for permitting communication grows with the number of users, the amount of information stored in such a table becomes enormous when the number of users increases. Whenever the information changes because users are added, addresses change, or the like, the table that records the mapping has to be changed as well. Therefore, the system employing SAM is more easily managed than a system in which individual tunnel routers include a table that records information concerning the communication of users.
On the other hand, there is also known a system that includes, in communication information, information used for determining propriety of communication of individual users to thereby determine whether a tunnel router or the like permits connection of a user. For example, there is known a packet relay device that can determine propriety of passage of an IPv6 packet on the basis of stored policy information.
[Patent Literature 1]
Japanese Laid-Open Patent Publication No. 2006-352710
[Non Patent Literature 1]
Stateless Address Mapping (SAM)—a Simplified Mesh-Software Model draft-despres-softwire-sam-01
[Non Patent Literature 2]
IPv4 Residual Deployment across IPv6-Service networks (4rd) A NAT-less solution draft-despres-softwire-4rd-00
In the system employing SAM, policy information applied to individual users and information such as address mapping are not stored in a tunnel router. Therefore, when a tunnel router in the system employing SAM is an endpoint of a tunnel, the tunnel router cannot determine whether the transmission source of a packet to be decapsulated is a registered user of the communication service employing tunneling. As a result, in the system employing SAM, the communication service could be provided even to a user whose access the provider of the tunneling communication service wishes to reject.
On the other hand, if information concerning individual users is stored in a tunnel router, when user information is changed or a tunnel router is added, there is a problem in that management of the system is complicated.
In a communication method according to an embodiment, a server stores, in association with each other, a permitted terminal identifier for identifying a permitted terminal permitted to perform tunnel communication with a first router apparatus set as an endpoint and an endpoint address of a tunnel used in the communication of the permitted terminal. A second router apparatus that encapsulates a packet received from a requesting terminal, which requests the tunnel communication, inquires of the server about an endpoint address associated with an identifier for identifying the requesting terminal. When the server detects a target address that is the endpoint address associated with the identifier for identifying the requesting terminal, the server notifies the second router apparatus of the target address. The second router apparatus transmits the encapsulated packet to the target address. The first router apparatus to which the target address is allocated regards a received packet received at the target address as a packet used in the tunnel communication of the permitted terminal, decapsulates the received packet, and then transmits the decapsulated packet to a communication destination of the requesting terminal.
The object and advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the claims.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, as claimed.
A customer edge router (IPv4 Residual Deployment customer edge, 4rd CE) 3 is connected to the private network 1 and the line provider network 4. In some cases, the customer edge router 3 is referred to as customer SAM (C-SAM). However, in the following explanation, the customer edge router 3 is referred to as “customer edge router”. A tunnel router used in IPv4 over IPv6 tunneling communication and connected to the IPv4 Internet 11 is described as border router (IPv4 Residual Deployment Border Router, 4rd BR) 8. In some cases, the border router 8 is referred to as provider SAM (P-SAM). However, in the following explanation, the border router 8 is referred to as “border router”.
When a packet received from the terminal 2 is an IPv4 packet and addressed to a communication apparatus not included in the private network 1, the customer edge router 3 determines that the received packet is a target of encapsulation. Therefore, the customer edge router 3 inquires an authentication server 13 about an endpoint address of a tunnel (a tunnel endpoint address) used in performing tunnel communication of the IPv4 packet received from the terminal 2. At this point, the customer edge router 3 notifies the authentication server 13 of an identifier for identifying the terminal 2.
The authentication server 13 has stored therein in advance an identifier of the terminal 2 of a user permitted to access the IPv4 Internet 11 via the border router 8. It is assumed that the authentication server 13 has also stored therein, in association with the identifier of the terminal 2, an endpoint address of a tunnel that the terminal 2 is permitted to use. When the authentication server 13 can detect an endpoint address stored in association with the identifier notified from the customer edge router 3, the authentication server 13 notifies the customer edge router 3 of the detected endpoint address. In other words, when it is confirmed that the terminal 2 is a terminal of a user having authority for tunnel communication (a registered user), the authentication server 13 notifies the customer edge router 3 of the endpoint address. In some cases, a terminal used for communication of the registered user is described as “permitted terminal”.
When the endpoint address is notified from the authentication server 13, the customer edge router 3 encapsulates, with an IPv6 header, the IPv4 packet received from the terminal 2 and transmits the encapsulated packet to the notified endpoint address. On the other hand, when the endpoint address is not notified from the authentication server 13, the customer edge router 3 determines that the terminal 2 does not have authority to access the IPv4 Internet 11. Therefore, the customer edge router 3 does not transfer the IPv4 packet received from the terminal 2.
When the border router 8 receives the packet transmitted from the customer edge router 3, the border router 8 decapsulates the packet and transmits the packet to the IPv4 Internet 11. At this point, the border router 8 regards a packet addressed to an endpoint address allocated to the border router 8 as a packet from a registered user of a network at a transfer destination. In other words, the border router 8 determines that a packet reaching the endpoint address is the packet from the registered user and performs decapsulation and transfer without performing authentication.
In the communication method explained above, it is possible to prevent unauthorized access to the IPv4 Internet 11 without checking whether respective packets received by the border router 8 are packets from users having authority to access the IPv4 Internet 11. Therefore, tunnel routers such as the border router 8 and the customer edge router 3 do not have to manage a state of permission of communication for a user.
<Apparatus Configuration>
An example of the configuration of the apparatuses included in
The line interface 111a connects the customer edge router 3 to the private network 1. The line interface 111b connects the customer edge router 3 to the line provider network 4. In some cases, the number of line interfaces 111 is changed arbitrarily according to the implementation.
The packet transferring processor 113 outputs a packet received from the line interfaces 111a and 111b to the path controller 120 and inquires the path controller 120 about a transfer destination. When a transfer destination is notified from the path controller 120, the packet transferring processor 113 outputs the packet to the line interface 111a or 111b according to the notified transfer destination. For example, it is assumed that a packet received from a terminal 2A included in the private network 1 via the line interface 111a is transferred to a terminal 2B included in the private network 1. In this case, the packet transferring processor 113 is instructed to transmit the packet received from the path controller 120 to the terminal 2B in the private network 1. Then, the packet transferring processor 113 transmits the received packet from the line interface 111a to the terminal 2B. On the other hand, as explained later, when instructed to transmit an encapsulated packet to the line provider network 4, the packet transferring processor 113 outputs the packet to the line interface 111b.
The path controller 120 determines a transfer destination of a packet input from the packet transferring processor 113 or the SAM controller 130 referring to the IPv6 routing table 141 or the IPv4 routing table 142. The path controller 120 notifies the packet transferring processor 113 of the transfer destination. The path controller 120 outputs a packet used for tunnel communication to the encapsulating processor 132. For example, the path controller 120 outputs an IPv4 packet received from the private network 1 and transferred to the line provider network 4 to the encapsulating processor 132. The path controller 120 outputs a packet, a destination address of an outer header of which includes an IPv6 prefix for SAM, to the encapsulating processor 132 when the path controller 120 received the packet from the line provider network 4. It is assumed that the IPv6 prefix for SAM is set in advance and stored in the path controller 120 and the address information processor 134.
The TEPA processor 131 generates a control message for inquiring about an endpoint address. In the following explanation, in some cases, the control message for inquiring about an endpoint address is described as “inquiry message”. When a control message for notifying an endpoint address is received by the customer edge router 3 from the authentication server 13, the TEPA processor 131 processes the received control message and acquires the endpoint address. In the following description, in some cases, the control message that the authentication server 13 transmits to the customer edge router 3 to notify it of an endpoint address is described as “address notification message” or “TEPA notification message”. The TEPA processor 131 can cause the address information processor 134 to store the endpoint address acquired from the address notification message.
The encapsulating processor 132 encapsulates a packet transferred to the line provider network 4 by adding an outer header to the packet. On the other hand, the encapsulating processor 132 decapsulates a packet transferred to the private network 1 by removing an outer header as appropriate.
The user information processor 133 has stored therein user information and notifies the user information according to a request from the TEPA processor 131 or the like. In the following explanation, the user information is a combination of a user ID (identification) and a password of a user who uses the terminal 2. The user information can be arbitrary information with which the terminal 2 that requests tunnel communication or a user who uses the terminal 2 can be uniquely specified. Further, the user information processor 133 can also store character strings used for authentication such as a user ID and a password in association with an identifier for identifying the terminal 2.
The address information processor 134 stores information concerning a prefix set in advance to perform communication by SAM. In other words, the address information processor 134 stores an IPv4 prefix and an IPv6 prefix used in the communication by SAM. The address information processor 134 calculates, using these prefixes, an IPv6 address, an IPv4 global address, a port number allocated to the customer edge router 3. Further, the address information processor 134 stores address determination rules common to the address information processor 232 (
The NAPT table 143 stores the IPv4 global address calculated by the address information processor 134 in association with an IPv4 private address used by the terminal 2. The encapsulating processor 132 refers to the NAPT table 143 in encapsulating and decapsulating a packet.
The line interface 211a connects the border router 8 to an apparatus such as the IPv6 router 7 included in the ISP network 6. The line interface 211b connects the IPv4 Internet 11 and the border router 8. In some cases, the number of line interfaces 211 is changed arbitrarily according to the implementation. The packet transferring processor 213 outputs a packet received from the line interface 211 to the path controller 220 and inquires the path controller 220 about a transfer destination. When a transfer destination is notified from the path controller 220, the packet transferring processor 213 outputs the packet to the line interface 211a or 211b according to the notified transfer destination.
The path controller 220 determines a transfer destination of a packet input from the packet transferring processor 213 or the encapsulating processor 231 referring to the IPv6 routing table 241 or the IPv4 routing table 242. The path controller 220 notifies the packet transferring processor 213 of the transfer destination. The path controller 220 outputs an IPv6 packet, the destination of which is an endpoint address allocated to the border router 8, to the encapsulating processor 231. Further, the path controller 220 also outputs, to the encapsulating processor 231, those packets received by the border router 8 from the IPv4 Internet 11 that are to be transferred to the ISP network 6.
The encapsulating processor 231 checks a type of a packet input from the path controller 220 to thereby determine which of encapsulation processing and decapsulation processing is applied to the packet. The encapsulating processor 231 determines that an IPv6 packet is a target of decapsulation and determines that an IPv4 packet is a target of encapsulation. Therefore, for example, the encapsulating processor 231 removes an outer header of the IPv6 packet received from the IPv6 router 7 via the transfer controller 210 or the like and converts the IPv6 packet into the IPv4 packet. On the other hand, the encapsulating processor 231 adds an outer header to the IPv4 packet received from the IPv4 Internet 11 and converts the IPv4 packet into the IPv6 packet. At this point, the encapsulating processor 231 requests the address information processor 232 to input an IPv6 address used for encapsulation.
The address information processor 232 performs mapping from an IPv4 address to an IPv6 address according to the request of the encapsulating processor 231 and outputs an obtained IPv6 address to the encapsulating processor 231. In the mapping, the address information processor 232 uses rules same as the address determination rules used by the address information processor 134 (
The line interface 311 connects the authentication server 13 to the IPv6 router 7. The packet transferring processor 312 receives an inquiry message from the IPv6 router 7 via the line interface 311. Further, the packet transferring processor 312 transmits an address notification message to the customer edge router 3 via the line interface 311. The authentication processor 321, when receiving the inquiry message, searches for an endpoint address associated with user information included in the inquiry message referring to information stored in the user information table 322.
<First Embodiment>
(1) The terminal 2 transmits a control packet including user information to the customer edge router 3. It is assumed that the user information is a user ID “user1” and a password “password11”. When the customer edge router 3 receives the control packet via the line interface 111a, the customer edge router 3 stores the user ID and the password notified from the terminal 2 in the user information processor 133.
(2) The IPv6 router 5 notifies an IPv6 prefix used by the customer edge router 3 in performing IPv6 communication. It is assumed that “2001:db8:abcd::/48” is notified to the customer edge router 3. Then, the address information processor 134 generates, on the basis of the notified prefix, an IPv6 address used by the customer edge router 3 in transmitting a packet to the line provider network 4. The address information processor 134 determines an IPv6 address used by the customer edge router 3 as “2001:db8:abcd:1::1” on the basis of (d) and (e) of the address generation rules. The address information processor 134 stores the generated IPv6 address.
(3) The address information processor 134 notifies the terminal 2 of the generated IPv6 address and an IPv6 default router. According to this processing, the terminal 2 can communicate with apparatuses included in the ISP network 6 and the IPv6 Internet 12 via the customer edge router 3.
(4) The terminal 2 requests the customer edge router 3 to perform setting for transmitting an IPv4 packet to the IPv4 Internet 11.
(5) The customer edge router 3 checks whether user information is stored in the user information processor 133. When user information is not stored in the user information processor 133, the customer edge router 3 stops the processing. On the other hand, when user information is stored in the user information processor 133, the user information processor 133 requests the TEPA processor 131 to provide an endpoint address. The TEPA processor 131 checks whether an endpoint address, which the terminal 2 is permitted to use, is stored in the address information processor 134. When the endpoint address is not stored, the TEPA processor 131 generates an inquiry message. The customer edge router 3 transmits the inquiry message to the authentication server 13 and inquires the authentication server 13 about an endpoint address.
An example of the inquiry message is illustrated in
(6) The authentication server 13 receives the inquiry message from the customer edge router 3. The authentication processor 321 extracts user information included in the inquiry message and checks whether the extracted information is included in the user information table 322. When a combination of a user ID and a password extracted from the inquiry message is included in the user information table 322, the authentication server 13 determines that a request for authentication is received from a user having authority to access the IPv4 Internet 11. Therefore, the authentication server 13 generates an address notification message including an endpoint address stored in association with the user information and returns the address notification message to the customer edge router 3. For example, when the authentication server 13 includes the user information table 322 illustrated in
On the other hand, when the combination of the user ID and the password extracted from the inquiry message is not included in the user information table 322, the authentication server 13 determines that a request for authentication is received from a user not having authority to access the IPv4 Internet 11. Then, the authentication processor 321 transmits an error message for notifying that the user fails in authentication to the customer edge router 3. For example, a value of a message type of the error message is “3”. The error message can be formed similar to the control message illustrated in
(7) The customer edge router 3 receives the control message from the authentication server 13. It is assumed that the customer edge router 3 receives the address notification message. The TEPA processor 131 checks information included in the address notification message. When the TEPA processor 131 acquires an endpoint address from the address notification message, the TEPA processor 131 causes the address information processor 134 to store the endpoint address.
(8) The customer edge router 3 notifies the terminal 2 that the terminal 2 is permitted to access the IPv4 Internet 11. The process (8) is a response message to the request in the process (4).
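The control flow of processes (1) through (8), together with the border router's handling of the resulting tunnel packet, as an added Python model that is not code from the patent or any 4rd implementation. It assumes a user information table keyed by (user ID, password), the page's "user1"/"password11" and TEPA-A entry, a constructed second entry TEPA-B, and message types represented as plain dictionaries; the error message type "3" is the only value taken from the page.

```python
import hmac

# Constructed user information table 322 of the authentication server 13 (layout assumed:
# (user ID, password) -> tunnel endpoint address). "user1"/"password11" -> TEPA-A is the
# page's example; the second entry and TEPA-B are constructed for this demonstration.
USER_INFORMATION_TABLE = {
    ("user1", "password11"): "2001:db8:0:1::1",   # TEPA-A
    ("user2", "password22"): "2001:db8:0:2::1",   # TEPA-B (constructed)
}

MSG_TYPE_ERROR = 3   # the page gives "3" as the message type of the error message


def authentication_server(inquiry: dict) -> dict:
    """Authentication processor 321: answer an inquiry message with an address
    notification message (permitted user) or an error message (not permitted)."""
    for (user_id, password), endpoint in USER_INFORMATION_TABLE.items():
        # Constant-time comparison of the submitted credentials (added here; the page
        # only says that the combination is looked up in the table).
        if hmac.compare_digest(user_id, inquiry["user_id"]) and \
                hmac.compare_digest(password, inquiry["password"]):
            return {"type": "address_notification", "endpoint_address": endpoint}
    return {"type": MSG_TYPE_ERROR}


class CustomerEdgeRouter:
    """Customer edge router 3: decides whether to encapsulate or to stop transfer."""

    def __init__(self, ipv6_address: str):
        self.ipv6_address = ipv6_address   # outer-header source, e.g. 2001:db8:abcd:1::1
        self.user_information = None       # user information processor 133
        self.endpoint_address = None       # address information processor 134 (TEPA)

    def register_user(self, user_id: str, password: str) -> None:
        """Process (1): store the user information received from the terminal 2."""
        self.user_information = (user_id, password)

    def request_ipv4_access(self, server) -> bool:
        """Processes (4)-(8): True when the terminal is permitted to use the tunnel."""
        if self.user_information is None:
            return False                   # process (5): no user information, stop
        if self.endpoint_address is None:  # TEPA processor 131: inquire only if not stored
            user_id, password = self.user_information
            reply = server({"user_id": user_id, "password": password})   # inquiry message
            if reply["type"] != "address_notification":
                return False               # error message: the user is not permitted
            self.endpoint_address = reply["endpoint_address"]          # process (7)
        return True

    def forward(self, ipv4_packet: dict):
        """Process (10): encapsulate toward the TEPA, or drop when no TEPA was notified."""
        if self.endpoint_address is None:
            return None
        return {"outer_src": self.ipv6_address,
                "outer_dst": self.endpoint_address,
                "inner": ipv4_packet}


class BorderRouter:
    """Border router 8: a packet reaching one of its endpoint addresses is treated as a
    permitted terminal's tunnel packet and decapsulated without any per-user check."""

    def __init__(self, endpoint_to_destination: dict):
        # Endpoint address -> transfer destination (the first/second endpoint of claim 1).
        self.endpoint_to_destination = endpoint_to_destination

    def receive(self, encapsulated: dict):
        destination = self.endpoint_to_destination.get(encapsulated["outer_dst"])
        if destination is None:
            return None   # not addressed to a tunnel endpoint of this router
        return destination, encapsulated["inner"]   # decapsulated packet and its destination


def run_example() -> dict:
    """Permitted user1 is tunneled; an unregistered user is stopped at the customer edge."""
    br = BorderRouter({"2001:db8:0:1::1": "IPv4 Internet 11",
                       "2001:db8:0:2::1": "second transfer destination (constructed)"})
    packet = {"src": "192.168.0.30", "dst": "counter apparatus 14"}   # constructed inner packet

    ce_ok = CustomerEdgeRouter("2001:db8:abcd:1::1")
    ce_ok.register_user("user1", "password11")
    permitted = ce_ok.request_ipv4_access(authentication_server)
    delivered = br.receive(ce_ok.forward(packet)) if permitted else None

    ce_bad = CustomerEdgeRouter("2001:db8:ef01:1::1")   # constructed second CE
    ce_bad.register_user("user3", "password33")         # not in the table
    rejected = not ce_bad.request_ipv4_access(authentication_server)
    return {"permitted": permitted, "delivered": delivered,
            "rejected": rejected, "dropped": ce_bad.forward(packet) is None}


if __name__ == "__main__":
    print(run_example())
```

Because the border router's only check is membership of the destination in its own endpoint set, the scheme depends on the endpoint addresses being reachable solely through the line provider network that fronts the customer edge routers.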
(9) It is assumed that the terminal 2 generates an IPv4 packet to the IPv4 Internet 11 and transmits the IPv4 packet to the customer edge router 3. In the following explanation, it is assumed that the terminal 2 uses a private address “192.168.0.30” in the private network 1. Then, the terminal 2 transmits an IPv4 packet, in which addresses and ports illustrated in a table 50a are designated with the counter apparatus 14 set as a destination address, to the customer edge router 3.
When the path controller 120 of the customer edge router 3 receives an IPv4 packet, the path controller 120 acquires a transfer destination of the packet referring to the IPv4 routing table 142. When the transfer destination is not the private network 1, the path controller 120 outputs the received packet to the encapsulating processor 132.
Before encapsulating the packet, the encapsulating processor 132 converts an IPv4 private address into an IPv4 global address. The encapsulating processor 132 checks whether an IPv4 global address and a port number corresponding to the IPv4 private address and a port number used by the terminal 2 are stored in the NAPT table 143. In the example illustrated in
The address information processor 134 confirms that the IPv6 prefix distributed from the IPv6 router 5 falls within the IPv6 prefix for SAM. When the distributed prefix falls within the IPv6 prefix for SAM, the address information processor 134 calculates the value of the bits of the distributed prefix that are not included in the IPv6 prefix for SAM.
Distributed prefix: 2001:db8:abcd::/48
IPv6 prefix for SAM: 2001:db8::/32
Therefore, it is possible to identify respective customer edge routers 3 according to lower-order 16 bits “abcd” in the distributed prefix. In the following explanation, in some case, a bit string that can be used for identification of the customer edge router 3 in the distributed prefix is described as “user identification bit string”. The address information processor 134 calculates an IPv4 global address and a port number from the IPv4 prefix for SAM and the user identification bit string.
The address information processor 134 calculates the difference between the length of the IPv4 prefix for SAM and the length of an IPv4 global address and takes, from the high-order end of the user identification bit string, a number of bits equal to that difference. The address information processor 134 sets, as the IPv4 global address, the address obtained by appending the acquired bit string to the IPv4 prefix for SAM. Since the IPv4 prefix for SAM is 24 bits and an IPv4 global address is 32 bits, the difference is 8 bits. Therefore, the IPv4 global address is obtained by appending “ab”, the first 8 bits of the user identification bit string, to the IPv4 prefix for SAM. “ab” is “171” in decimal. Therefore, the IPv4 global address is “192.0.2.171/24”.
Subsequently, the address information processor 134 calculates a port number. The address information processor 134 takes the bits of the user identification bit string that were not used for calculating the IPv4 global address as a binary number and adds a port range index to it. Then, the address information processor 134 converts the obtained binary number into a decimal number. Finally, the address information processor 134 sets the obtained decimal number as the port number. The port range index is used so that port numbers not used for the transmission and reception of user data in communication by SAM are not allocated to the terminal 2. The port range index is any one of “1”, “01”, “001”, and “0001”. As illustrated in
The address information processor 134 notifies the encapsulating processor 132 of the calculated IPv4 global address and port number. The encapsulating processor 132 replaces the transmission source address and transmission source port of the packet transmitted from the terminal 2 with the IPv4 global address and port number notified from the address information processor 134. Further, the encapsulating processor 132 stores the combination of the IPv4 private address and transmission source port number set in the packet before the replacement in the NAPT table 143, in association with the IPv4 global address after the replacement. An example of the NAPT table 143 is illustrated in
(10) Subsequently, the encapsulating processor 132 encapsulates the packet. The encapsulating processor 132 acquires the endpoint address stored in the address information processor 134 and sets it as the destination IPv6 address of the outer header. As explained in the process (7), it is assumed that the TEPA-A (2001:db8:0:1::1) is stored in the address information processor 134. The encapsulating processor 132 requests the address information processor 134 for the IPv6 address of the customer edge router 3. As explained in the process (2), the IPv6 address of the customer edge router 3 is “2001:db8:abcd:1::1”. The encapsulating processor 132 sets the IPv6 address of the customer edge router 3 as the transmission source IP address of the outer header. Therefore, the transmission source addresses, destination addresses, and port numbers set in the encapsulated packet are as illustrated in a table 50b. The encapsulating processor 132 outputs the encapsulated packet to the path controller 120. The path controller 120 determines the transfer destination by referring to the IPv6 routing table 141 and outputs it to the packet transferring processor 113. The packet transferring processor 113 transmits the encapsulated packet to the border router 8. In (10) of
(11) The border router 8 receives a packet addressed to the TEPA-A. A terminal 2 that can designate the TEPA-A as a destination is one that was notified of the endpoint address by the authentication server 13 as a result of successful authentication at the authentication server 13. Therefore, the border router 8 regards a packet whose outer header carries an address allocated to the border router 8 as its destination address as a packet from a user who has been authenticated by the authentication server 13, and so does not check separately whether the packet addressed to the TEPA-A comes from a registered user. Accordingly, when the packet addressed to the TEPA-A is input from the packet transferring processor 213, the path controller 220 outputs the packet to the encapsulating processor 231. The encapsulating processor 231 decapsulates the packet addressed to the TEPA-A. The addresses and port numbers included in the IP header of the packet after decapsulation are as illustrated in a table 50c.
The encapsulating processor 231 outputs the packet after decapsulation to the path controller 220. The path controller 220 transfers the packet to the IPv4 Internet 11 referring to the IPv4 routing table 242. The packet is routed in the IPv4 Internet and reaches the counter apparatus 14.
(12) It is assumed that the counter apparatus 14 generates a packet (a response packet) responding to the packet from the terminal 2 received in the process (11). The generated packet is transmitted from the counter apparatus 14 to the border router 8. Addresses and port numbers included in an IPv4 header of a response packet transmitted from the counter apparatus 14 are as illustrated in a table 50d.
(13) When the path controller 220 of the border router 8 receives the IPv4 packet, the path controller 220 acquires a transfer destination of the packet referring to the IPv4 routing table 242. When the transfer destination is not the IPv4 Internet 11, the path controller 220 acquires the IPv4 prefix for SAM from the address information processor 232 and checks whether the IPv4 prefix for SAM coincides with a prefix of a destination address. The path controller 220 outputs a packet, a prefix of a destination IPv4 address of which coincides with the IPv4 prefix for SAM, to the encapsulating processor 231.
The encapsulating processor 231 requests the address information processor 232 to calculate the IPv6 address used for encapsulation. The address information processor 232 takes the bits of the destination IPv4 address other than the IPv4 prefix for SAM together with the destination port number. In other words, the address information processor 232 calculates the destination IPv6 address used for encapsulation from the information encircled in the table 50d. The destination IPv4 address is “192.0.2.171” and the IPv4 prefix for SAM is “192.0.2.0/24”. Therefore, the address information processor 232 converts “171”, the lower-order 8 bits of the destination IPv4 address, into hexadecimal, four bits per digit. “171” is thus converted into “ab”.
Subsequently, the address information processor 232 checks the position of the highest bit set to “1” when the destination port number is represented in binary. When the destination port number is “0x1CD0”, converting “0x1CD0” into binary gives “0001 1100 1101 0000”. Since the highest bit set to “1” is the fourth bit, “0001” is the port range index that was added in the calculation of the port number.
The address information processor 232 calculates the number of bits used for calculation of an address from a bit string representing a port number. The length of a user-distributed IPv6 prefix is 48 bits. Since the length of the IPv6 prefix for SAM is 32 bits, a user identification bit string is 16 bits. Information for 8 bits obtained by subtracting the length of the IPv4 prefix for SAM from the length of the destination IPv4 address is already acquired from the destination IPv4 address. Therefore, information for 16−8=8 bits only has to be acquired from the destination port number. Accordingly, the address information processor 232 acquires 8 bits (11001101) following the port range index from the bit string representing the destination port number and converts the 8 bits into a hexadecimal number (cd). The obtained value “cd” is connected after the value calculated from the destination IPv4 address, whereby “abcd” indicating a value of a user identification bit string as a hexadecimal number is obtained.
The address information processor 232 appends the user identification bit string to the IPv6 prefix for SAM and thereby calculates the prefix distributed to the customer edge router 3 as “2001:db8:abcd::/48”. The address information processor 232 calculates the IPv6 address of the customer edge router 3 as “2001:db8:abcd:1::1” according to the address generation rules (d) and (e). The address information processor 232 notifies the encapsulating processor 231 of the IPv6 address of the customer edge router 3. Further, the address information processor 232 also notifies it of the IPv6 address used by the border router 8 when transmitting a packet to the customer edge router 3. It is assumed that the TEPA-A is used for the transmission of the packet to the customer edge router 3.
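The two SAM calculations above (the customer edge router deriving the IPv4 global address and port from its distributed prefix in the process (9), and the border router recovering the distributed prefix from the destination IPv4 address and port in the process (13)) are carried through here with the page's values. This is an added example, not code from the patent; the low-order port bits below the user identification bits are assumed to be zero (as in the page's “0x1CD0”), and the “:1::1” host part follows the page's example because the address generation rules (d) and (e) are not reproduced on this page.

```python
import ipaddress

# Values from the page's worked example.
SAM_V6_PREFIX = ipaddress.IPv6Network("2001:db8::/32")
SAM_V4_PREFIX = ipaddress.IPv4Network("192.0.2.0/24")
PORT_RANGE_INDEXES = ("1", "01", "001", "0001")
PORT_BITS = 16


def user_id_bits(distributed_prefix):
    """Bits of the distributed prefix that are not part of the SAM IPv6 prefix ('abcd' -> 16 bits)."""
    net = ipaddress.IPv6Network(distributed_prefix)
    if not net.subnet_of(SAM_V6_PREFIX):
        raise ValueError("distributed prefix is not within the IPv6 prefix for SAM")
    all_bits = format(int(net.network_address), "0128b")
    return all_bits[SAM_V6_PREFIX.prefixlen:net.prefixlen]


def ce_to_global(distributed_prefix, port_range_index="0001"):
    """Customer edge router side: (IPv4 global address, port) from the distributed prefix."""
    if port_range_index not in PORT_RANGE_INDEXES:
        raise ValueError("unknown port range index")
    uid = user_id_bits(distributed_prefix)
    addr_bits = SAM_V4_PREFIX.max_prefixlen - SAM_V4_PREFIX.prefixlen   # 32 - 24 = 8
    v4 = ipaddress.IPv4Address(int(SAM_V4_PREFIX.network_address) | int(uid[:addr_bits], 2))
    # Port = port range index, then the remaining user identification bits,
    # then zero padding to 16 bits (assumption: padding bits are zero).
    port_bits = (port_range_index + uid[addr_bits:]).ljust(PORT_BITS, "0")
    if len(port_bits) != PORT_BITS:
        raise ValueError("user identification bits do not fit in a port number")
    return str(v4), int(port_bits, 2)


def global_to_ce_prefix(v4_global, port, distributed_prefix_len=48):
    """Border router side: recover the distributed IPv6 prefix from destination address and port."""
    v4 = ipaddress.IPv4Address(v4_global)
    if v4 not in SAM_V4_PREFIX:
        raise ValueError("destination is not inside the IPv4 prefix for SAM")
    addr_bits = SAM_V4_PREFIX.max_prefixlen - SAM_V4_PREFIX.prefixlen
    from_addr = format(int(v4), "032b")[SAM_V4_PREFIX.prefixlen:]       # '10101011' -> ab
    port_bits = format(port, "016b")
    if "1" not in port_bits or port_bits.index("1") >= len(PORT_RANGE_INDEXES):
        raise ValueError("port carries no valid port range index")
    idx_len = port_bits.index("1") + 1                                   # '0001' -> 4 bits
    need = (distributed_prefix_len - SAM_V6_PREFIX.prefixlen) - addr_bits  # 16 - 8 = 8 bits
    from_port = port_bits[idx_len:idx_len + need]                        # '11001101' -> cd
    uid = from_addr + from_port
    prefix_int = int(SAM_V6_PREFIX.network_address) | (int(uid, 2) << (128 - distributed_prefix_len))
    return ipaddress.IPv6Network((prefix_int, distributed_prefix_len))


def ce_router_address(prefix):
    """Assumed host-part rule: first /64 of the prefix, interface id 1 (matches the page's example)."""
    return ipaddress.IPv6Address(int(prefix.network_address) | (1 << 64) | 1)


if __name__ == "__main__":
    addr, port = ce_to_global("2001:db8:abcd::/48", "0001")
    print(addr, hex(port))                                   # 192.0.2.171 0x1cd0
    prefix = global_to_ce_prefix(addr, port)
    print(prefix, ce_router_address(prefix))                 # 2001:db8:abcd::/48 2001:db8:abcd:1::1
```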
The encapsulating processor 231 encapsulates the packet using the address notified from the address information processor 232. Addresses and port numbers included in an outer header and an inner header of the encapsulated packet are as illustrated in a table 50e. The encapsulated packet is transmitted from the border router 8 to the customer edge router 3 via the IPv6 router 5.
(14) The customer edge router 3 receives the packet from the border router 8. The path controller 120 of the customer edge router 3 outputs a packet input from the packet transferring processor 113 to the encapsulating processor 132. The encapsulating processor 132 decapsulates the packet. Further, the encapsulating processor 132 searches through the NAPT table 143 with the IPv4 global address as a key and acquires an IPv4 private address and a port number. The encapsulating processor 132 rewrites a destination address of the IPv4 header and a destination port number with values obtained from the NAPT table 143. The IPv4 header after the rewriting is as illustrated in a table 50f. The encapsulating processor 132 outputs the packet with the IPv4 header converted to the path controller 120. The path controller 120 transmits the packet to the terminal 2 referring to the IPv4 routing table 142.
When the border router 8 receives a packet from the counter apparatus 14 in the IPv4 Internet 11, the address information processor 232 checks whether the destination IPv4 address of the received packet begins with the IPv4 prefix for SAM (step S31). When the prefix of the destination IPv4 address coincides with the IPv4 prefix for SAM, the address information processor 232 calculates the IPv6 prefix acquired by the customer edge router 3, using the destination IPv4 address, the destination port number, and the IPv6 prefix for SAM (step S32). Further, the address information processor 232 calculates, from the IPv6 prefix acquired by the customer edge router 3 and the address determination rules, the IPv6 address used by the customer edge router 3 (step S33). The encapsulating processor 231 encapsulates the received packet; the transmission source address of the outer header is the address for local side transmission and the destination address is the IPv6 address calculated by the address information processor 232 (step S34). The path controller 220 transfers the packet encapsulated by the encapsulating processor 231 to the IPv6 router 7 according to the IPv6 routing table 241 (step S35). On the other hand, when the prefix of the destination IPv4 address does not coincide with the IPv4 prefix for SAM in step S31, the path controller 220 transfers the packet according to the IPv4 routing table 242 (step S36).
As explained with reference to
<Second Embodiment>
In a second embodiment, plural endpoint addresses are allocated to a border router 20. The border router 20 can determine, on the basis of an address designated as a destination of a received packet, a transfer destination of the packet.
The transfer setting table 251 stores information for designating a transfer destination of a packet in association with each of the endpoint addresses (TEPAs) allocated to the border router 20.
When an operator permits connection to the IPv4 Internet 11 for each user in advance, the operator also determines whether that user's packets are to pass through a network such as the ISP network 9 between the border router 20 and the IPv4 Internet 11. For example, it is assumed that the operator wishes to process packets transmitted from a user A in the ISP network 9 before they are forwarded to the IPv4 Internet 11. Further, it is assumed that, for a user B, the operator decides to transmit packets to the IPv4 Internet 11 without passing through the ISP network 9. The operator then registers, in the user information table 322 of the authentication server 13, the endpoint address corresponding to each user's transfer destination in association with that user's user information.
For example, as illustrated in
After the registration is performed, communication from the terminal 2 belonging to the private network 1 to the counter apparatus 14 included in the IPv4 Internet 11 is performed. The operation of the processes (1) to (5) is as explained with reference to
Processing in the processes (7) to (10) is similar to that in the first embodiment. In the process (11), in this embodiment, when the encapsulating processor 231 outputs the packet after decapsulation to the path controller 220, the encapsulating processor 231 notifies the path controller 220 of the destination address included in the outer header. When the path controller 220 transfers the decapsulated packet, the path controller 220 searches through the transfer setting table 251 with the notified destination address as a key. The path controller 220 transfers the packet after decapsulation to a destination set in the transfer setting table 251. For example, when the transfer setting table 251 illustrated in
According to this embodiment, packets from users can be apportioned according to the service policy determined for each user. Therefore, for example, packets from a user whose access an ISP wishes to monitor can be transferred to the ISP network 9, while access from a user who is not a monitoring target is transferred to the IPv4 Internet 11 without passing through the ISP network 9.
Since a transfer destination is determined in association with a TEPA, a change of a transfer destination of the decapsulated packet is easily performed by changing the TEPA. In other words, when a change of a path through which the packet passes is performed, a TEPA associated with a user for whom the change of the path is performed is changed in the user information table 322 of the authentication server 13 according to a transfer destination of the packet after decapsulation.
<Third Embodiment>
In a third embodiment, a method of apportioning packets according to services used by a user when the user has a contract with plural providers and ISP networks 9 of plural ISPs are connected to the ISP network 6 is explained.
The private network 1, the line provider network 4, the ISP network 6, the IPv4 Internet 11, and the IPv6 Internet 12 are similar to those in the first and second embodiments. The operations of the customer edge router 3, the authentication server 13, and the IPv6 routers 5 and 7 are similar to those in the first and second embodiments. The operation of the border router 20 is similar to that in the second embodiment.
It is assumed that the user information obtained by the user of the terminal 2 through a contract with the provider A is the combination of a user ID “user1” and a password “password9a”. On the other hand, it is assumed that the user information obtained through the user's contract with the provider B is the combination of a user ID “userA” and a password “password9b”. The terminal 2 causes the user information processor 133 of the customer edge router 3 to store the user IDs and passwords obtained from both the provider A and the provider B. It is assumed that, although the terminal 2 also stores both the user information of the provider A and that of the provider B, when performing communication the terminal 2 selects the service of one of the providers, enables the setting for the selected provider, and then communicates. The terminal 2 notifies the customer edge router 3 of the user information that is enabled when the communication is started.
The customer edge router 3 inquires the authentication server 13 about a TEPA associated with the user information notified from the terminal 2. An inquiry message used for the inquiry is similar to that in the first embodiment. The authentication server 13 notifies the customer edge router 3 of the TEPA on the basis of information recorded in the user information table 322. For example, it is assumed that the user information table 322 is as illustrated in
Encapsulation in the customer edge router 3 is performed using the TEPA notified from the authentication server 13. The border router 20 determines the transfer destination according to the TEPA included in the received packet. For example, it is assumed that the transfer setting table 251 is as illustrated in
In this way, a transfer destination can be changed according to a provider that provides a service. Therefore, in a network in which plural providers provide the ISP networks 9 as illustrated in
<Fourth Embodiment>
In a fourth embodiment, a case in which plural private networks 1 (1a and 1b) are connected to the line provider network 4 is explained.
It is assumed that user information of a user of the terminal 2a is a combination of a user ID “user1” and a password “password11”. On the other hand, it is assumed that user information of a user of the terminal 2b is a combination of a user ID “user2” and a password “password12”. Further, it is assumed that the customer edge router 3a has stored therein the user information of the terminal 2a and the customer edge router 3b has stored therein the user information of the terminal 2b.
Since the user information of the terminal 2a is included in an inquiry message transmitted from the customer edge router 3a, the authentication server 13 notifies the customer edge router 3a of the TEPA-A referring to the user information table 322. Similarly, since the user information of the terminal 2b is included in an inquiry message from the customer edge router 3b, a TEPA-C is notified to the customer edge router 3b. Therefore, a packet encapsulated by the customer edge router 3a is addressed to the TEPA-A and a packet encapsulated by the customer edge router 3b is addressed to the TEPA-B.
The border router 20 transfers a packet received from the customer edge router 3a to the ISP network 9 referring to the transfer setting table 251. On the other hand, the border router 20 directly transfers a packet received from the customer edge router 3b to the IPv4 Internet 11. Therefore, when the terminal 2a and the terminal 2b perform communication, a packet from the terminal 2a is transferred to the IPv4 Internet 11 through the ISP network 9 and a packet from the terminal 2b is transferred to the IPv4 Internet 11 not through the ISP network 9.
<Others>
The embodiments are not limited to the above and can be variously modified. Several examples of the modification are explained below.
An example of a network is illustrated in
The forms of the control messages such as the inquiry message and the address notification message can be changed according to the implementation. For example, the control messages can include a Transmission Control Protocol (TCP) header instead of the UDP header. In some cases, the authentication between the customer edge router 3 and the authentication server 13 is performed using the Remote Authentication Dial In User Service (RADIUS) protocol or the like instead of the inquiry message and the address notification message.
Further, the operator can change the value of the TEPA at fixed intervals to prevent access from an unauthorized user who happens to know the TEPA. Every time the TEPA is changed, the user information table 322 and the transfer setting table 251 are updated. Since the TEPA stored in the customer edge router 3 can no longer be used after the change, the customer edge router 3 obtains the new TEPA by performing the processing in the process (5) and the subsequent processes explained with reference to
According to the method explained above, it is possible to easily perform both of prevention of unauthorized access in a communication service using tunneling and management of a system.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions, nor does the organization of such examples in the specification relate to an illustration of the superiority and inferiority of the invention. Although the embodiments of the present invention have been described in detail, it should be understood that the various changes, substitutions, and alterations could be made hereto without departing from the spirit and scope of the invention.
| Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
| --- | --- | --- | --- | --- | --- | --- |
| Dec 09 2011 | NISHIYAMA, TAKESHI | Fujitsu Limited | ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS) | 027608 | /0423 | |
| Jan 26 2012 | Fujitsu Limited | (assignment on the face of the patent) | | | | |

| Date | Maintenance Fee Events |
| --- | --- |
| Nov 16 2017 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
| Jan 17 2022 | REM: Maintenance Fee Reminder Mailed. |
| Jul 04 2022 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |